Search: Join / Multisearch: Unterschied zwischen den Versionen
Aus Wiki-WebPerfect
Admin (Diskussion | Beiträge) (|) |
Admin (Diskussion | Beiträge) |
||
| Zeile 25: | Zeile 25: | ||
| − | + | ||
| − | + | ||
| − | + | [[Kategorie:Splunk]] | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
Version vom 20. März 2019, 16:35 Uhr
Add fields from another index to my search
In the index "index1" the fields "field1_index2" and "field2_index2" is missing, but in the index "index2" there it is.
"Field1" from "index1" hast the same value as "field1_index2" from "index2"
Goal: Adding "field2_index2" from "index2" to the main-search of "index1"
Fields of Index1:
- field1
- field2
- field3
Fields of Index2:
- field1_index2
- field2_index2
Splunk-Search
index=index1 | sort field1 DESC | join type=left field1 [search index=index2 ealiest=-1d | rename field1_index2 AS field1 | fields field1, field2_index2] | table field1, field2, field3, field2_index2
